How much is a data breach worth?

In 2018 around 500,000 travellers, as usual, visited one of their preferred airline companies’ websites to book tickets for some of their long-anticipated holiday destinations, business trips and important family visits.

They trusted their personal and banking information to simply do what millions of others do around the world - buy air tickets. What they didn’t realise was that the website they used to buy tickets was hacked, and the data they shared was intercepted by a fraudulent website. This wasn’t immediately clear to the travellers, or to British Airways who “owned” the website. The result was that between June and September 2018 thousands of credit card details, names and email addresses were stolen.[1]

After the investigation, Elizabeth Denham, the UK Information Commissioner said: "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.

"That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."[2]

The General Data Protection Regulation (GDPR) clearly indicates the maximum penalty up to 4% of turnover for breaching data protection requirements. British Airways eventually got a record-breaking fine of £183M as a result of infringements of the GDPR. [3]

British Airways ended up being not the only air company with a data breach; in March 2020 Cathay Pacific was fined £500K, which is less than British Airways were fined, but still a significant sum.[4] The list of data breaches goes on. Facebook got a bill of £500k for mishandled user data following the Cambridge Analytica scandal back in 2017. Equifax was fined £500k for failing to protect personal data.[5] Marriott hotels were fined £123M as a result of compromising guests’ personal data including names, dates of birth.[6]

Origins of the breaches vary from sophisticated hacking schemes of website platforms to simple negligence of customer subscription preference; Newday was fined £230K for over 44 million spam emails.[7] In 2015 Comcast was fined for inadvertently publishing personal information on its 75,000 customers. A settlement was reached at US$33 million with a payout of US$100 to each impacted customer.[8]

In the past decade, the value of data has been increasing exponentially. The opportunity to capitalise on personal data is becoming a valuable business area to many as technologies such as AI and blockchain amplify that value even more. With the rise in the value of data, the costs of sourcing it, storing, securing and losing control of it, as a result of data breaches, also rise.

Why is it important?

On average, every person generates around 1.7 megabytes[9] of data per second by using online commercial services - social media, browsing websites, posting photos or sharing messages, engaging with IoT, and so on. In many cases these pieces of information are shared with 3^rd parties we may not always be aware of. In this massive mix of data, we also share a lot of personal data, personally identifiable information (PII) and non-personal data.[10] PII data, that may contain personal security numbers, mailing or email addresses, phone numbers, etc., is what actually makes the cost of the data loss very high. The more PII data lost, the higher the cost.

In the past several months’ significant amounts of PII data has been captured by the growing number of COVID-19 tracing apps, as they appeared in the market with the intent to battle the spread of the virus. On the flip side of battling the virus, it opens a Pandora’s box. While some platforms collect essential data, some ask for more personal details.[11] One precedent took place in Qatar - a mandatory tracing app developed by the government exposed personal information that included names, ID’s, health status, location, etc. [12]. The leak of PII was quickly fixed but triggered discussion in the wider community: whether data protection regulations are a concern. EU members have already flagged that data collected through such apps need to adhere to data protection regulations.[13]

So, what is the cost?

In 2019 IBM Security and the Ponemon Institute conducted research to identify the financial impact on organisations off the back of data breaches. To estimate the cost of the breach, they used an activity-based costing (ABC) method. [14]

According to their findings, the range in cost per impacted record varies from US$79 to US$429 per individual. The average global data breach cost is currently assessed to be US$3.92M per day, with an average cost per lost record of US$150. The highest industry average cost of US$6.45M per day falls in the Healthcare category. [15]

A data breach does not only come down to the size of a fine but has a significant impact on the brand, business reputation and customer trust.[16] With the rise of online commerce and data consumption, organisations need to be prepared to respond to data breach threats. Consider increasing automated solutions and reduce manual data interventions. Set up a response team, establish frameworks for the management of sensitive data. Invest in governance and reduce IT complexities. [17]

Investments in data protection need to be a businesses priority. Customer experience and data safety is an added value, above short term benefits. With the increase of data sharing in e-commerce and data consumption, we’ll see more cases of data breaches along with cost increases in future. Data protection needs to become one of the central points of business security and growth.

Investment in data protection needs to be an integral part of any business growth. Let’s keep the data safe.